Restrict Shared VPC Subnetworks

More Info:

Ensure that “Restrict Shared VPC Subnetworks” policy is enforced for your GCP organizations.

Risk Level

Medium

Address

Security, Operational Maturity

Compliance Standards

CBP

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate the misconfiguration of “Restrict Shared VPC Subnetworks” in GCP using GCP CLI, you can follow the below steps:Step 1: Open the Cloud ShellStep 2: Run the below command to list all the subnetworks in the shared VPC:

gcloud compute shared-vpc list-associated-resources [SHARED_VPC_NAME] --project=[HOST_PROJECT_ID] --subnet

Note: Replace [SHARED_VPC_NAME] and [HOST_PROJECT_ID] with the actual shared VPC name and host project ID.Step 3: Run the below command to restrict the subnetworks in the shared VPC:

gcloud compute shared-vpc update [SHARED_VPC_NAME] --project=[HOST_PROJECT_ID] --no-enable-flow-logs --no-enable-private-google-access --no-enable-intra-host-mtls --no-enable-intra-host-visibility --no-enable-routes-without-logs --no-enable-vpc-flow-logs --no-enable-private-endpoint

Note: Replace [SHARED_VPC_NAME] and [HOST_PROJECT_ID] with the actual shared VPC name and host project ID.This command will disable all the shared VPC features which can be enabled on subnetworks.Step 4: Run the below command to verify the changes:

gcloud compute shared-vpc describe [SHARED_VPC_NAME] --project=[HOST_PROJECT_ID]

Note: Replace [SHARED_VPC_NAME] and [HOST_PROJECT_ID] with the actual shared VPC name and host project ID.This command will display the details of the shared VPC and confirm that the subnetworks are restricted.By following these steps, you can remediate the misconfiguration of “Restrict Shared VPC Subnetworks” in GCP using GCP CLI.

Using Python

To remediate the misconfiguration of “Restrict Shared VPC Subnetworks” for GCP using Python, follow the below steps:

First, you need to create a service account and download the JSON key for authentication.
Install the Google Cloud SDK and the necessary Python libraries.
Use the following Python code to remediate the misconfiguration:

from google.cloud import compute_v1

# Authenticate using the service account key
client = compute_v1.SubnetworksClient.from_service_account_json('path/to/service_account_key.json')

# Set the project ID and the name of the subnetwork to restrict
project_id = 'your_project_id'
subnetwork_name = 'your_subnetwork_name'

# Get the subnetwork
subnetwork = client.get(project=project_id, region='global', subnetwork=subnetwork_name)

# Set the private IP Google access to "false"
subnetwork.private_ip_google_access = False

# Update the subnetwork
response = client.update(project=project_id, region='global', subnetwork=subnetwork_name, subnetwork_resource=subnetwork)
print('Subnetwork updated:', response)

This code will set the “private_ip_google_access” property of the subnetwork to “false”, which will restrict shared VPC subnetworks.Note: Make sure to replace the “path/to/service_account_key.json”, “your_project_id”, and “your_subnetwork_name” with the actual values.

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

Restrict Shared VPC Subnetworks

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation